Summary
Under the CCPA, collecting email addresses at brick-and-mortar stores requires strict adherence to several principles. Businesses must provide a clear 'notice at collection,' outlining the purpose of data collection and linking to their privacy policy. Standard data capture methods may not suffice, necessitating updated processes for compliance. Email addresses are considered personal information, granting consumers rights to access and deletion. Explicit consent is mandatory for marketing purposes, precluding pre-checked boxes. Furthermore, companies must facilitate offline CCPA rights requests, provide consumers an easy method to opt-out and maintain an inventory of data collection processes. Staff training on CCPA is critical. If third-party vendors are involved, businesses remain liable for their compliance. Poor data quality from point-of-sale collections highlights the need for cleansing.
Key findings
- Notice at Collection: A 'notice at collection' is mandatory, informing consumers about data collection practices.
- Explicit Consent: Explicit consent is required for marketing emails, disallowing pre-checked boxes or implied agreement.
- Offline Rights: Brick-and-mortar locations must facilitate offline CCPA rights requests (access, deletion).
- Data Inventory: Maintaining inventory for all data collection processes and how to give notice/consent
- Staff Training: Staff must be trained in line with CCPA for in-person collection
- Opt-Out Mechanism: Need to provide simple opt-out
- Third Party Liability: Using third parties is OK, however you are still liable for their processes.
Key considerations
- Update Processes: Review and update in-store data collection processes for CCPA compliance.
- Train Staff: Implement a training program to keep up with the requirements.
- Signage Placement: Need to ensure adequate signage is on show.
- 3rd Party Check: If you use third parties, ensure you review their processes and contracts.
What email marketers say
8 marketer opinions
Under the California Consumer Privacy Act (CCPA), collecting email addresses in person at a brick and mortar store requires businesses to adhere to specific regulations. The purpose of collecting the email must be clearly stated and limited; if intended for marketing beyond a transaction, explicit opt-in consent is mandatory, prohibiting pre-checked boxes or implied consent. Businesses must provide a 'notice at collection,' often through conspicuous signage linking to the privacy policy at the point of sale. Staff training on CCPA requirements is essential to ensure proper handling of data and consumer rights requests. Moreover, businesses need to maintain an inventory of all data collection processes, including methods for notice and consent. A straightforward opt-out mechanism for future communications must be available. If using a third-party for data collection, businesses remain liable for their CCPA compliance. These measures collectively ensure transparency, consumer control, and compliance with the CCPA when gathering email addresses in a physical retail environment.
Key opinions
- Purpose Limitation: CCPA mandates clearly specifying the purpose for email collection; use beyond the stated purpose requires additional consent.
- Explicit Opt-In: Marketing emails necessitate explicit opt-in consent, invalidating pre-checked boxes or implied agreement.
- Notice at Collection: Businesses must provide clear notice, often via signage, at the point of sale, linking to the privacy policy.
- Staff Training: Properly training staff on CCPA requirements is crucial for handling data and consumer requests correctly.
- Data Inventory: Maintaining a data inventory is required that should document all data collection processes to ensure you are compliant.
- Opt-Out Mechanism: A clear and easy method for consumers to opt-out of future communications must be provided.
- Third-Party Liability: Businesses remain liable for CCPA compliance even when using third-party data collectors.
Key considerations
- Consent Forms: Ensure consent forms used in-store explicitly state the purpose of data collection and provide a clear opt-in mechanism for marketing communications.
- Signage Placement: Strategically place signage informing customers about email collection practices and linking to the privacy policy for easy access.
- Training Programs: Implement comprehensive training programs for staff to understand and comply with CCPA requirements during in-person data collection.
- Vendor Due Diligence: If using third-party vendors for data collection, conduct thorough due diligence to ensure their CCPA compliance and data security practices align with business requirements.
- Data Audits: Regularly audit data collection processes to ensure compliance with CCPA and identify areas for improvement.
- Review Privacy Policy: Review and ensure your privacy policy is up to date.
Marketer view
Email marketer from Reddit user u/CCPA_advice explains that if you are collecting email addresses at point of sale, the collection form must clearly state what you are going to use the email address for. Further you should get express consent to send marketing material, this cannot be a pre-checked box.
4 Nov 2022 - Reddit
Marketer view
Email marketer from onetrust.com responds that a business needs clear and conspicuous signage at the point of sale indicating that email addresses are being collected and providing a link to the privacy policy. This signage serves as the 'notice at collection' required by the CCPA.
23 Jun 2021 - onetrust.com
What the experts say
3 expert opinions
Collecting email addresses in person at brick-and-mortar stores under the CCPA presents unique challenges. Standard address capture methods may not comply with requirements like providing notice at collection. Data quality from point-of-sale (PoS) collections can be poor, necessitating cleansing before reuse. Businesses must offer in-store methods for consumers to exercise their CCPA rights, such as providing forms for access or deletion requests. For marketing purposes, explicit consent is essential, requiring clear communication of the purpose and affirmative agreement from the consumer.
Key opinions
- Notice at Collection Challenges: Meeting notice at collection requirements can be trickier in brick-and-mortar settings.
- Poor Data Quality: Email addresses collected at the point of sale often have low quality and require cleaning.
- In-Store Rights Requests: Businesses must facilitate CCPA rights requests in physical locations.
- Explicit Consent Required: Explicit consent is needed for using collected email addresses for marketing purposes.
Key considerations
- Update Collection Processes: Review and update existing address capture processes to ensure they meet CCPA requirements.
- Implement Data Cleansing: Establish a data cleansing process to improve the quality of email addresses collected at the point of sale.
- Provide Forms for Rights: Make appropriate forms readily available at retail locations to facilitate consumer CCPA rights requests.
- Obtain Express Agreement: Implement a clear and unambiguous method to obtain explicit consent for marketing emails.
Expert view
Expert from Email Geeks explains that there are several CCPA requirements that are trickier to fulfill at a brick and mortar collection, such as notice at collection. An existing address capture approach, or one imported from Nevada, likely won't comply.
7 Aug 2022 - Email Geeks
Expert view
Expert from Email Geeks shares that addresses given at PoS are, in many cases, absolutely filthy, and businesses operating a website but primarily interacting with customers in person at a retail location must offer in-store consumers a form that can be submitted in person to make CCPA rights requests. Businesses that substantially interact with consumers offline must also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out, requiring companies with brick-and-mortar locations accept CCPA requests offline and have appropriate forms ready at retail locations to facilitate them.
8 Apr 2022 - Email Geeks
What the documentation says
4 technical articles
The CCPA mandates specific requirements for collecting email addresses in person at brick-and-mortar stores. Businesses must provide a 'notice at collection' informing consumers about the categories of personal information collected and the intended purposes. Email addresses fall under the broad definition of 'personal information' covered by the CCPA. Companies with physical locations must accept CCPA requests offline, ensuring forms are available for consumers to request access or deletion of their data. Consumers possess the right to request access to and deletion of their personal information, necessitating businesses to establish processes for handling these requests effectively, even for data collected in person.
Key findings
- Notice at Collection Required: Businesses must provide notice at collection, informing consumers about the data being collected and its intended use.
- Email Addresses as Personal Information: Email addresses are considered 'personal information' under CCPA regulations.
- Offline Request Acceptance: Companies must accept CCPA rights requests (access, deletion) offline at physical locations.
- Consumer Rights: Consumers have the right to request access to and deletion of their personal information, even if collected in person.
Key considerations
- Implement Notice Mechanisms: Establish clear mechanisms for providing the 'notice at collection,' such as signage or verbal notifications.
- Update Privacy Policies: Ensure privacy policies are updated to reflect in-person data collection practices and CCPA compliance.
- Develop Offline Request Processes: Create processes for handling CCPA rights requests received offline, including providing necessary forms and training staff.
- Data Security Measures: Implement robust data security measures to protect personal information collected in person from unauthorized access or breaches.
Technical article
Documentation from iapp.org explains that the CCPA requires businesses to provide consumers with a notice at collection, informing them about the categories of personal information being collected and the purposes for which the information will be used. This notice must be provided before or at the point of collection, and applies to in-person collection at brick and mortar stores.
3 Jan 2024 - iapp.org
Technical article
Documentation from jdsupra.com states that companies with brick-and-mortar locations must accept CCPA requests offline and have appropriate forms ready at retail locations to facilitate them. This includes allowing consumers to request access to or deletion of their personal information collected in-store.
8 Oct 2021 - jdsupra.com
Are claims of 90 million email 'protestors' who do more than mark as spam accurate, and do ESPs sell data?
Are cold outreach 'best practices' actually illegal spam tactics?
Can an ESP allow its users to use the ESP's physical address in marketing emails under CAN-SPAM?
Do commercial emails in the USA and Canada require a physical address?
Do email marketing opt-outs ever expire?
How can I identify and prevent spam/bot traffic at email subscription points?
